• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Tim Cooke
  • Liutauras Vilda
  • Jeanne Boyarsky
  • paul wheaton
Sheriffs:
  • Ron McLeod
  • Devaka Cooray
  • Henry Wong
Saloon Keepers:
  • Tim Holloway
  • Stephan van Hulst
  • Carey Brown
  • Tim Moores
  • Mikalai Zaikin
Bartenders:
  • Frits Walraven

How do LockOutRealms work ?

 
Ranch Hand
Posts: 66
MyEclipse IDE Firefox Browser Windows
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I am confused with the functioning of LockOutRealms in Tomcat.

My questions are as follows-:


  • Say user at IP 10.10.10.1 has reached the maximum number of invalid login attempts and is locked out. Now say a user from 10.10.10.2 attempts to login, will Tomcat stop him too since he is trying to login for the first time ? If not then how does Tomcat keep track of users that are locked out ? Via there IP's ?


  • When a user is locked out what message is displayed ? Can I display a custom HTML page when a user has been locked out ? In other words how much control do I have over the lock out process and what error messages are shown ?
  •  
    Saloon Keeper
    Posts: 28327
    210
    Android Eclipse IDE Tomcat Server Redhat Java Linux
    • Likes 1
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator
    Although a quick check of the documentation didn't say, the usual lockout mechanism is to lock the userID, not the IP address. IP addresses are generally locked out at the firewall. Tomcat doesn't mark the account permanently locked like some systems do (requiring a security administrator to explicitly unlock it again. It just keeps a cache of banned IDs with lockout countdown times. Locking out by source IP is very rare. Sometimes a user will have an alternate account that they are authorized to use, and in the case of IPv4 NAT, dozens, hundreds, or even thousands of users would all be carrying the same source IP address. Mostly when I ban an IP it's from some really blatant offender such as Taiwan HINET, which seems to exist solely to provide Internet vandals a home.

    Again, the docs didn't say, but I'd expect that a banned ID would be presented with a 403 - FORBIDDEN page.

    Incidentally, since the lockout is by ID, not IP, public parts of the webapp should still be accessible to the locked-out user. However any attempt to access a secured URL would again trigger the server's login mechanism and if you them attempted to login using the banned ID, the login would be rejected.
     
    Being a smart alec beats the alternative. This tiny ad knows what I'm talking about:
    Gift giving made easy with the permaculture playing cards
    https://coderanch.com/t/777758/Gift-giving-easy-permaculture-playing
    reply
      Bookmark Topic Watch Topic
    • New Topic